Security Series - I: Building Blocks of Cloud Security
By Milind Borate
A good security program is built on a strong foundation. We need to consider how data is transmitted, accessed and stored, and then implement focused strategies to address these scenarios. Together, these strategies build a structure that ensures data is protected with the strongest security.
With Druva inSync public cloud, our security structure is based on four pillars, and by focusing on these areas, we can implement technologies combined with secure processes and provide inSync data 360° protection.
- Protecting data in motion
- Protecting data at rest
- Strict access protocols
- Regular process and privacy audits
Data in Motion
Let’s begin by talking about data at rest. We encrypt all data stored in the cloud and control access to this data with unique two-factor encryption. To gain access, administrators and end users need both their passwords and encryption keys, and these keys are not stored in the cloud or with the users. Even once authenticated, users never interact directly with data in the cloud - all requests come through an intermediary server. This means that if the underlying data storage is hacked, the data itself is not compromised.
Data at Rest
Additional protection for stored data comes from the cloud infrastructure itself. Each customer’s data is kept separate in its own virtual container. Customer data is never mixed, so an attempt against one customer would not affect any others. This also means that there isn’t a way for a valid user to somehow inadvertently access another customer’s data.
We don’t only have to make sure data is protected in the cloud - we have to ensure that it is protected when it’s in transit. We encrypt moving data with 256-bit SSL, which uses certificates signed by a trusted authority and protects against network eavesdropping attacks.
Authentication and Authorization
inSync integrates with a client’s existing single sign-on or Active Directory solution in order to help IT govern inSync data. This means that an organization’s existing identity and access policies can apply to inSync, while users can use the same identifying information they use to access other business systems.
Team Sandboxing and Audits
Finally, we understand that security isn’t something you do once. It’s important to continually review policies and procedures and ensure that data is protected. We work with 3rd party auditors to provide verification that inSync security is up to par and works as promised. Furthermore, we regularly conduct penetration and vulnerability testing to make sure that patches or improvements do not introduce any weaknesses into our security structure.
By focusing on the four key areas of data protection, we’ve built a targeted cloud security structure. Careful architecting allows us to protect data as it is accessed and stored, while also enabling our customers to implement their own policies. In the end this means that each customer’s security structure may look a bit different but the data is still protected from any passing storms.